Your password is not safe

So, you think your password is secure? Perhaps you’ve got a system to remember your password that allows you to use a complex password? Well, good for you. Unfortunately, your password is still not secure.

The problem is that you simply can’t trust the website you give your password to. How do they store it? Do they keep it exactly as you typed it, or do they hash it first? Hashing (which I will talk about later) is a one-way way of turning your password into a scrambled code that is much more difficult for hackers to turn back into the original.

I’ve lost track of the number of websites that send you your password in plain text with their welcome email. I posted about this some time ago on a Google+ post. This isn’t just bad practice, this is almost criminal! The fact that they can email your password back to you shows that they are keeping it in plain text (or in some reversible form) in their database, with no regard for the storage of your personal data. Not only that, but they’ve sent your password in plain text in an insecure email. When an email is sent, it can pass through many different servers throughout the world, and can potentially be “seen” at any point on its way; it then sits in your inbox, where anyone who later gets into your email account can read it. If someone malicious sniffs out your email, they could potentially get access to your account for the website you signed up for.

But it doesn’t stop there. I’m sure you’re not one of the many people who use the same password for multiple accounts, are you?! Of course not! However, just think about the many people who do use the same password across all their accounts. If this malicious person has gained access to that one account, they could also potentially get access to your email account. Now that’s when the very bad news starts. Once they have access to your email account, they can change the password, lock you out, and start resetting your passwords for all your other accounts via the “forgotten password” links. This could include Facebook, Twitter, Google, PayPal and perhaps even your bank. If this doesn’t scare you, then I don’t know what will.

So, how do you guard against this? Well, basically, you can’t trust the website you sign up with. When you sign up, use a temporary password that you don’t use anywhere else; you can always change it later. If you do receive your password back in plain text, then at least you know the only password exposed is that throwaway one, and all your other passwords are safe.

If you do use the same password for all your accounts, then don’t! I know it sounds really complicated, but there are plenty of ideas to get you started. Here is one system: come up with a sentence and your favourite number. For example “I like salted peanuts” and 15. By using the first letter of each word and the number you could get 15Ilsp. Then put the first 5 characters of the website you are signing up for at the end. For example, for Amazon, your password could be: 15IlspAmazo. You could even put another character at the end, for example a hash: 15IlspAmazo#, for extra security.

Even with this method, your password isn’t necessarily secure: it might be obvious to a hacker how your password system works, and once one of your passwords leaks (in a plain-text welcome email, say) the pattern gives away the rest. Of course, a password manager can help here, one like LastPass. Here, all you need to remember is one password (make it a long, strong one), and you can get LastPass to automatically generate fiendishly complex, unique passwords for all your accounts.

What should sites do to beef up their security?

One of the main reasons for me writing this blog post is because I came across another site this morning that sent my password in plain text. I was furious! Of course, it’s best to let your anger die down and think logically about this. This is the real world, and we’re all human. Not everyone knows about security, though you’d have thought the people developing these websites would. My advice is to send them a polite email, notifying them of the major security issue on their website. Kindly explain to them the issues that I have mentioned above: that potentially their customers’ accounts could be open to hackers.

Passwords should NEVER NEVER NEVER NEVER NEVER be stored in plain text. That’s just inexcusable. At a bare minimum, passwords should be hashed before they are stored. Note that hashing is not the same as encryption: encryption can be reversed by anyone who holds the key, whereas a hash is one-way. A website never needs to get your password back, it only needs to check that what you type matches, so a one-way hash is the right tool. However, even a plain hash is not enough. Unsalted hashes are surprisingly easy to crack with the right software. Take the password ‘passw0rd’. Instead of storing it, the site runs it through a hash function, which turns it into a fixed-length string of letters and numbers called a hash, and stores that instead. The resulting hash depends on the hash function used, and there are many hash functions. Here are some examples:

So, as you can see from the above, sha512 produces a much longer hash than md5. That length on its own doesn’t make stored passwords safe, though. Both are fast, general-purpose hash functions, and the same password always produces exactly the same hash, so hackers keep lists of common passwords alongside their md5 and sha512 hashes. With a leaked database, they simply look each stolen hash up in the list and read off the password. There is also the “brute force” method, in which a hacker tries every possible password in turn; because these hash functions are so fast, a modern graphics card can test millions or even billions of guesses per second against an unsalted hash. So, how do you up your security? What you need is a bit of salt…
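To make the lookup and brute-force attacks concrete, here is an added Python example (it is not code from the original post). It hashes ‘passw0rd’ with md5 and sha512 the way a naive site would, then reverses a leaked md5 hash two ways: by lookup against a small list of common passwords, and by brute force over short passwords. The password list and the “leaked” hash are constructed for the example.

```python
"""Added example (not from the original post): why unsalted md5 / sha512
hashes of a password are easy to reverse.  Standard library only.  The
common-password list and the 'leaked' hash are constructed here."""
import hashlib
import itertools
import string


def hash_unsalted(password: str, algo: str = "md5") -> str:
    """Hash a password the way a naive site might: one fast hash, no salt.
    The same password always produces the same hex string."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


# Constructed stand-in for the lists of common passwords that attackers keep.
COMMON_PASSWORDS = ["123456", "password", "passw0rd", "qwerty", "letmein", "iloveyou"]


def build_lookup_table(passwords, algo: str = "md5") -> dict:
    """Precompute hash -> password once, then reuse it against every stolen
    hash.  Rainbow tables are a space-saving form of the same idea."""
    return {hash_unsalted(p, algo): p for p in passwords}


def crack_with_lookup(stolen_hash: str, table: dict):
    """Reverse a hash by lookup.  Returns the password, or None if absent."""
    return table.get(stolen_hash)


def brute_force(stolen_hash: str, algo: str = "md5",
                alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 3):
    """Try every candidate up to max_len characters.  With a fast hash this
    is cheap: 36**3 = 46,656 md5 calls take well under a second in Python."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hash_unsalted(guess, algo) == stolen_hash:
                return guess
    return None


if __name__ == "__main__":
    for algo in ("md5", "sha512"):
        h = hash_unsalted("passw0rd", algo)
        print(f"{algo:>6} ({len(h)} hex chars): {h}")

    # A database leak exposes this md5 hash; no cracking needed, just a lookup.
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = hash_unsalted("passw0rd")   # what the attacker actually holds
    print("lookup:", crack_with_lookup(leaked, table))   # passw0rd

    # Two users with the same password share a hash, so one lookup cracks both.
    print("same hash for same password:",
          hash_unsalted("passw0rd") == hash_unsalted("passw0rd"))

    # A short password that is in no list still falls to brute force.
    print("brute force:", brute_force(hash_unsalted("pw1")))   # pw1
```

Swapping md5 for sha512 in the calls above changes only the length of the hex strings; the lookup and brute-force loops work exactly the same way, which is the point: neither function was designed to store passwords.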

What is a salt?

Well, you could consult Wikipedia’s entry, but to be honest I wouldn’t bother, as you’ll end up more confused (well, it confused me). I’m not going to go into huge detail here.

You add salt in cooking to enhance or change the flavour. A salt in password hashing changes the hash in the same spirit: before hashing, the site generates a random string (the salt) for each user, stores it next to the hash, and hashes the salt and the password together. The salt doesn’t have to be secret. Its job is to make every stored hash unique, even for two users who chose the same password, so a precomputed list of hashes is worthless (the hacker would need a fresh list for every salt) and every stolen hash has to be attacked separately.

This still isn’t perfect. A salt stops lookup tables and rainbow tables, but a hacker with enough time and processing power can still guess passwords one by one against each salted hash, and with a fast function such as md5 or sha512 each guess costs almost nothing. The best advice I can give is to make sure passwords are long and complex, and to investigate hashing methods designed specifically for passwords, such as bcrypt (or scrypt and PBKDF2), which take a salt as standard and have an adjustable cost setting that makes each guess deliberately slow. I’ll be updating this post with more information on these methods in due course.
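As an added example (not from the original post) of what a site should do instead: salted, deliberately slow hashing, with a verification routine and a way to raise the cost later. It uses PBKDF2-HMAC-SHA256 from Python’s standard library rather than the bcrypt named above, because bcrypt needs a third-party package; the store-and-verify pattern is the same. The record layout ‘pbkdf2_sha256$iterations$salt$hash’ and the iteration count are this example’s own choices, not a standard.

```python
"""Added example (not from the original post): salted, deliberately slow
password hashing with PBKDF2-HMAC-SHA256 from the standard library.  The
record format 'pbkdf2_sha256$iterations$salt_hex$hash_hex' is an assumption
made for this example."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # cost factor: raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, random salt, hash.
    The salt is random per user and stored in the clear; it is not a secret."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and cost, then compare in
    constant time so timing differences don't leak how close a guess is."""
    try:
        algorithm, iterations, salt_hex, stored_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(stored_hex)
        rounds = int(iterations)
    except ValueError:
        return False      # malformed, truncated or non-hex record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record uses a weaker algorithm or a lower cost than we now
    require; call after a successful login and store a fresh hash_password()."""
    try:
        algorithm, iterations, _salt, _hash = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    alice = hash_password("passw0rd")
    bob = hash_password("passw0rd")
    print(alice)
    print(bob)
    # Same password, different salts: nothing in alice's record helps crack bob's.
    print("records differ:", alice != bob)
    print("alice logs in:", verify_password("passw0rd", alice))
    print("wrong password:", verify_password("password", alice))
    legacy = hash_password("passw0rd", iterations=10_000)   # constructed old record
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Because the cost lives inside each record, a site can raise ITERATIONS for new sign-ups and quietly upgrade existing users the next time they log in, which is the same approach bcrypt’s work factor allows.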

So, what next?

If you do contact the website owner to mention the security issue only to discover they really don’t care, what do you do? I’m not really into “naming and shaming”, but I do believe something needs to be done. If you have any ideas, then please leave them in the comments below. I’d love to know!

Ian is a Confident Live Marketing Coach and founder of Seriously Social. He’s an international speaker, trainer, teacher, web developer and consultant. He has a passion for making the techno-babble of live video and social media marketing easy to understand. Ian is co-founder of Select Performers – a family run web agency. As well as being a geek, husband, and dad to two kids, Ian is also a professional singer and lives near Manchester in the UK. Find out more


Thank you Ian, I’m working on a project right now in school about Password Safety, and this really helped me understand a lot about it!

Ian (reply):

I’m really glad it helped! Let me know how your project goes.

Vivian (guest, 8 months ago):

Well why not name and shame? Not the websites who say they intend to do something about it, but we should definitely name and shame the ones that don’t give a damn! I had my ID stolen – probably via the Lush website when they were hacked a few years ago. I am naming but not shaming Lush because they did something about it and their website is now super secure. But I will name and shame these two: The Royal Horticultural Society and Crocus. The awful thing about these two is not only are they refusing to do anything…

Ian (reply):

Thanks for your comment, Vivian. I feel your pain – so sorry for all the issues you’ve had. Whenever I’ve had problems like this I’ve contacted them directly. Unfortunately most companies don’t know how to respond when you point out that they’re storing your passwords in clear text. They just think you are being fussy. Ian

Ruby (guest, 3 years ago):

Thanks for the great article. I agree that using a password manager is the best option, after creating a very complex password. Even though I tested LastPass I actually found it quite complex to use. I ended up using LoginBox. It’s easier to use and set up, and it logs in automatically to the websites I need. I’d be interested to see a comparison between the various password managers. I tested a few and found not all actually log in automatically and thus stuck with the one that worked for me.

John (guest, 4 years ago):

[…] iag.me. Even though his article is two years old, it’s still as relevant today as it was then. In Your Password is Not Safe, Ian shares his “I like salted peanuts” system for generating new secure passwords. I found […]

[…] wrote an article before about how easy it is for your password to be compromised. The truth is you can’t trust any site that you give your password to because you don’t know […]

[…] harvest your Twitter username and password. It’s definitely a good idea to make sure you have a good strong password for your Twitter account and one that is different to your email password, but even if you do, your […]

[…] Your Password is not Safe (iag.me) […]

SGL (guest, 6 years ago):

What type of hash does Facebook use nowadays? With all the commotion around privacy and security?


Prepense (guest, 7 years ago):

Ian (reply):

It’s a pleasure. How did it help you? I plan to update this article further with more information. Any thoughts on what I should add?
